
conf: overhaul sessions settings (#5952)

ᴜɴᴋɴᴡᴏɴ 4 éve
szülő
commit
d59b0f6ff7

+ 3 - 0
CHANGELOG.md

@@ -30,6 +30,8 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`.
 - Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`.
 - Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
+- Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`.
+- Configuration option `[session] SESSION_LIFE_TIME` is deprecated and will end support in 0.13.0, please start using `[session] MAX_LIFE_TIME`.
 
 ### Fixed
 
@@ -49,6 +51,7 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[server] STATIC_ROOT_PATH`
 - Configuration option `[repository] MIRROR_QUEUE_LENGTH`
 - Configuration option `[repository] PULL_REQUEST_QUEUE_LENGTH`
+- Configuration option `[session] ENABLE_SET_COOKIE`
 
 ---
 

+ 19 - 22
conf/app.ini

@@ -225,6 +225,25 @@ REVERSE_PROXY_AUTHENTICATION_HEADER = X-WEBAUTH-USER
 ; Whether to enable email notifications for users.
 ENABLE_EMAIL_NOTIFICATION = false
 
+[session]
+; The session provider, either "memory", "file", or "redis".
+PROVIDER = memory
+; The configuration for respective provider:
+; - memory: does not need any config yet
+; - file: session file path, e.g. `data/sessions`
+; - redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+PROVIDER_CONFIG = data/sessions
+; The cookie name to store the session identifier.
+COOKIE_NAME = i_like_gogs
+; Whether to set cookie in HTTPS only.
+COOKIE_SECURE = false
+; The GC interval in seconds for session data.
+GC_INTERVAL = 3600
+; The maximum life time in seconds for a session.
+MAX_LIFE_TIME = 86400
+; The cookie name for CSRF token.
+CSRF_COOKIE_NAME = _csrf
+
 ; Attachment settings for releases
 [release.attachment]
 ; Whether attachments are enabled. Defaults to `true`
@@ -285,28 +304,6 @@ INTERVAL = 60
 ; memcache: `127.0.0.1:11211`
 HOST =
 
-[session]
-; Either "memory", "file", or "redis", default is "memory"
-PROVIDER = memory
-; Provider config options
-; memory: not have any config yet
-; file: session file path, e.g. `data/sessions`
-; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-PROVIDER_CONFIG = data/sessions
-; Session cookie name
-COOKIE_NAME = i_like_gogs
-; If you use session in https only, default is false
-COOKIE_SECURE = false
-; Enable set cookie, default is true
-ENABLE_SET_COOKIE = true
-; Session GC time interval, default is 3600
-GC_INTERVAL_TIME = 3600
-; Session life time, default is 86400
-SESSION_LIFE_TIME = 86400
-; Cookie name for CSRF
-CSRF_COOKIE_NAME = _csrf
-
 [picture]
 ; Path to store user uploaded avatars
 AVATAR_UPLOAD_PATH = data/avatars
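Review bot: The comment on `COOKIE_SECURE` in the new `[session]` block says what the flag does but not when an operator should turn it on; with the default `false` the session cookie is also sent over plain HTTP. I would extend it to `; Whether to set cookie in HTTPS only. Enable this when Gogs is served over HTTPS, directly or behind a TLS-terminating proxy.`. The rewritten `PROVIDER` comment lists only memory, file and redis while the removed block also documented mysql; if mysql is still accepted the comment should keep it, and if it is not, that is worth a line in the CHANGELOG so existing configs are not silently broken.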

+ 9 - 10
conf/locale/locale_en-US.ini

@@ -1267,6 +1267,15 @@ config.auth.reverse_proxy_authentication_header = Reverse proxy authentication h
 config.user_config = User configuration
 config.user.enable_email_notify = Enable email notification
 
+config.session_config = Session configuration
+config.session.provider = Provider
+config.session.provider_config = Provider config
+config.session.cookie_name = Cookie
+config.session.https_only = HTTPS only
+config.session.gc_interval = GC interval
+config.session.max_life_time = Max life time
+config.session.csrf_cookie_name = CSRF cookie
+
 config.log_file_root_path = Log File Root Path
 
 config.http_config = HTTP Configuration
@@ -1286,16 +1295,6 @@ config.cache_adapter = Cache Adapter
 config.cache_interval = Cache Interval
 config.cache_conn = Cache Connection
 
-config.session_config = Session Configuration
-config.session_provider = Session Provider
-config.provider_config = Provider Config
-config.cookie_name = Cookie Name
-config.enable_set_cookie = Enable Set Cookie
-config.gc_interval_time = GC Interval Time
-config.session_life_time = Session Life Time
-config.https_only = HTTPS Only
-config.cookie_life_time = Cookie Life Time
-
 config.picture_config = Picture Configuration
 config.picture_service = Picture Service
 config.disable_gravatar = Disable Gravatar

+ 2 - 2
internal/assets/conf/conf_gen.go


+ 3 - 3
internal/assets/public/public_gen.go


+ 1 - 1
internal/assets/templates/templates_gen.go


+ 10 - 2
internal/cmd/web.go

@@ -142,10 +142,18 @@ func newMacaron() *macaron.Macaron {
 	m.Use(captcha.Captchaer(captcha.Options{
 		SubURL: conf.Server.Subpath,
 	}))
-	m.Use(session.Sessioner(conf.SessionConfig))
+	m.Use(session.Sessioner(session.Options{
+		Provider:       conf.Session.Provider,
+		ProviderConfig: conf.Session.ProviderConfig,
+		CookieName:     conf.Session.CookieName,
+		CookiePath:     conf.Server.Subpath,
+		Gclifetime:     conf.Session.GCInterval,
+		Maxlifetime:    conf.Session.MaxLifeTime,
+		Secure:         conf.Session.CookieSecure,
+	}))
 	m.Use(csrf.Csrfer(csrf.Options{
 		Secret:     conf.Security.SecretKey,
-		Cookie:     conf.CSRFCookieName,
+		Cookie:     conf.Session.CSRFCookieName,
 		SetCookie:  true,
 		Header:     "X-Csrf-Token",
 		CookiePath: conf.Server.Subpath,

+ 8 - 20
internal/conf/conf.go

@@ -17,7 +17,6 @@ import (
 
 	_ "github.com/go-macaron/cache/memcache"
 	_ "github.com/go-macaron/cache/redis"
-	"github.com/go-macaron/session"
 	_ "github.com/go-macaron/session/redis"
 	"github.com/mcuadros/go-version"
 	"github.com/pkg/errors"
@@ -254,6 +253,14 @@ func Init(customConf string) error {
 		return errors.Wrap(err, "mapping [user] section")
 	}
 
+	// ***********************************
+	// ----- Session settings -----
+	// ***********************************
+
+	if err = File.Section("session").MapTo(&Session); err != nil {
+		return errors.Wrap(err, "mapping [session] section")
+	}
+
 	handleDeprecated()
 
 	// TODO
@@ -460,10 +467,6 @@ var (
 	CacheInterval int
 	CacheConn     string
 
-	// Session settings
-	SessionConfig  session.Options
-	CSRFCookieName string
-
 	// Cron tasks
 	Cron struct {
 		UpdateMirror struct {
@@ -696,23 +699,8 @@ func newCacheService() {
 	log.Trace("Cache service is enabled")
 }
 
-func newSessionService() {
-	SessionConfig.Provider = File.Section("session").Key("PROVIDER").In("memory",
-		[]string{"memory", "file", "redis", "mysql"})
-	SessionConfig.ProviderConfig = strings.Trim(File.Section("session").Key("PROVIDER_CONFIG").String(), "\" ")
-	SessionConfig.CookieName = File.Section("session").Key("COOKIE_NAME").MustString("i_like_gogs")
-	SessionConfig.CookiePath = Server.Subpath
-	SessionConfig.Secure = File.Section("session").Key("COOKIE_SECURE").MustBool()
-	SessionConfig.Gclifetime = File.Section("session").Key("GC_INTERVAL_TIME").MustInt64(3600)
-	SessionConfig.Maxlifetime = File.Section("session").Key("SESSION_LIFE_TIME").MustInt64(86400)
-	CSRFCookieName = File.Section("session").Key("CSRF_COOKIE_NAME").MustString("_csrf")
-
-	log.Trace("Session service is enabled")
-}
-
 func NewServices() {
 	newCacheService()
-	newSessionService()
 }
 
 // HookMode indicates whether program starts as Git server-side hook callback.
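Review bot: `File.Section("session").MapTo(&Session)` replaces the removed `newSessionService`, but two normalisations that function performed are dropped: `PROVIDER` is no longer restricted to the known providers (the old `In("memory", ...)` fell back to memory for anything else) and `PROVIDER_CONFIG` no longer has surrounding quotes and spaces trimmed (`strings.Trim(..., "\" ")`). The untrimmed value now flows straight into `session.Options` in internal/cmd/web.go, so an ini value written as `"data/sessions"` becomes a path containing literal quotes, and an unknown provider is only discovered when the session middleware is constructed rather than at config load. I would validate and trim right after the mapping; `errors.Errorf` comes from the pkg/errors import already in the file, and `strings` was used by the removed code, so keep that import if this becomes its last use. The provider list below follows the new app.ini comment; add `mysql` if that driver is still linked in. Init continues past the hunk.
```go
	if err = File.Section("session").MapTo(&Session); err != nil {
		return errors.Wrap(err, "mapping [session] section")
	}
	switch Session.Provider {
	case "memory", "file", "redis":
	default:
		return errors.Errorf("unsupported [session] PROVIDER %q", Session.Provider)
	}
	// Tolerate quoted values, as the previous loader did.
	Session.ProviderConfig = strings.Trim(Session.ProviderConfig, "\" ")
	// … unchanged: handleDeprecated() …
```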

+ 25 - 0
internal/conf/static.go

@@ -211,6 +211,22 @@ var (
 	User struct {
 		EnableEmailNotification bool
 	}
+
+	// Session settings
+	Session struct {
+		Provider       string
+		ProviderConfig string
+		CookieName     string
+		CookieSecure   bool
+		GCInterval     int64 `ini:"GC_INTERVAL"`
+		MaxLifeTime    int64
+		CSRFCookieName string `ini:"CSRF_COOKIE_NAME"`
+
+		// Deprecated: Use GCInterval instead, will be removed in 0.13.
+		GCIntervalTime int64 `ini:"GC_INTERVAL_TIME"`
+		// Deprecated: Use MaxLifeTime instead, will be removed in 0.13.
+		SessionLifeTime int64
+	}
 )
 
 // handleDeprecated transfers deprecated values to the new ones when set.
@@ -268,4 +284,13 @@ func handleDeprecated() {
 		User.EnableEmailNotification = true
 		Auth.EnableNotifyMail = false
 	}
+
+	if Session.GCIntervalTime > 0 {
+		Session.GCInterval = Session.GCIntervalTime
+		Session.GCIntervalTime = 0
+	}
+	if Session.SessionLifeTime > 0 {
+		Session.MaxLifeTime = Session.SessionLifeTime
+		Session.SessionLifeTime = 0
+	}
 }
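Review bot: The new `Session` struct gives no units for `GCInterval` and `MaxLifeTime` even though app.ini documents both as seconds and the admin template appends a seconds label; I would add `// GCInterval and MaxLifeTime are durations in seconds.` above those two fields so readers of the struct do not have to cross-reference the ini. In `handleDeprecated`, a non-zero `GC_INTERVAL_TIME` or `SESSION_LIFE_TIME` overwrites the new key even when the operator has already set `GC_INTERVAL`/`MAX_LIFE_TIME`; that appears consistent with how the other deprecations in this function are handled, but a short comment stating that the deprecated key wins when both are present would make the migration behaviour explicit.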

+ 1 - 2
internal/route/admin/admin.go

@@ -205,6 +205,7 @@ func Config(c *context.Context) {
 	c.Data["Email"] = conf.Email
 	c.Data["Auth"] = conf.Auth
 	c.Data["User"] = conf.User
+	c.Data["Session"] = conf.Session
 
 	c.Data["LogRootPath"] = conf.LogRootPath
 
@@ -216,8 +217,6 @@ func Config(c *context.Context) {
 	c.Data["CacheInterval"] = conf.CacheInterval
 	c.Data["CacheConn"] = conf.CacheConn
 
-	c.Data["SessionConfig"] = conf.SessionConfig
-
 	c.Data["DisableGravatar"] = conf.DisableGravatar
 	c.Data["EnableFederatedAvatar"] = conf.EnableFederatedAvatar
 

+ 3 - 3
internal/route/user/auth.go

@@ -66,7 +66,7 @@ func AutoLogin(c *context.Context) (bool, error) {
 	isSucceed = true
 	c.Session.Set("uid", u.ID)
 	c.Session.Set("uname", u.Name)
-	c.SetCookie(conf.CSRFCookieName, "", -1, conf.Server.Subpath)
+	c.SetCookie(conf.Session.CSRFCookieName, "", -1, conf.Server.Subpath)
 	if conf.Security.EnableLoginStatusCookie {
 		c.SetCookie(conf.Security.LoginStatusCookieName, "true", 0, conf.Server.Subpath)
 	}
@@ -130,7 +130,7 @@ func afterLogin(c *context.Context, u *db.User, remember bool) {
 	c.Session.Delete("twoFactorUserID")
 
 	// Clear whatever CSRF has right now, force to generate a new one
-	c.SetCookie(conf.CSRFCookieName, "", -1, conf.Server.Subpath)
+	c.SetCookie(conf.Session.CSRFCookieName, "", -1, conf.Server.Subpath)
 	if conf.Security.EnableLoginStatusCookie {
 		c.SetCookie(conf.Security.LoginStatusCookieName, "true", 0, conf.Server.Subpath)
 	}
@@ -285,7 +285,7 @@ func SignOut(c *context.Context) {
 	c.Session.Destory(c.Context)
 	c.SetCookie(conf.Security.CookieUsername, "", -1, conf.Server.Subpath)
 	c.SetCookie(conf.Security.CookieRememberName, "", -1, conf.Server.Subpath)
-	c.SetCookie(conf.CSRFCookieName, "", -1, conf.Server.Subpath)
+	c.SetCookie(conf.Session.CSRFCookieName, "", -1, conf.Server.Subpath)
 	c.SubURLRedirect("/")
 }
 

+ 23 - 23
templates/admin/config.tmpl

@@ -289,7 +289,6 @@
 					</dl>
 				</div>
 
-
 				{{/* User settings */}}
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.user_config"}}
@@ -301,6 +300,29 @@
 					</dl>
 				</div>
 
+				{{/* Session settings */}}
+				<h4 class="ui top attached header">
+					{{.i18n.Tr "admin.config.session_config"}}
+				</h4>
+				<div class="ui attached table segment">
+					<dl class="dl-horizontal admin-dl-horizontal">
+						<dt>{{.i18n.Tr "admin.config.session_provider"}}</dt>
+						<dd>{{.Session.Provider}}</dd>
+						<dt>{{.i18n.Tr "admin.config.session.provider_config"}}</dt>
+						<dd><code>{{.Session.ProviderConfig}}</code></dd>
+						<dt>{{.i18n.Tr "admin.config.session.cookie_name"}}</dt>
+						<dd>{{.Session.CookieName}}</dd>
+						<dt>{{.i18n.Tr "admin.config.session.https_only"}}</dt>
+						<dd><i class="fa fa{{if .Session.CookieSecure}}-check{{end}}-square-o"></i></dd>
+						<dt>{{.i18n.Tr "admin.config.session.gc_interval"}}</dt>
+						<dd>{{.Session.GCInterval}} {{.i18n.Tr "tool.raw_seconds"}}</dd>
+						<dt>{{.i18n.Tr "admin.config.session.max_life_time"}}</dt>
+						<dd>{{.Session.MaxLifeTime}} {{.i18n.Tr "tool.raw_seconds"}}</dd>
+						<dt>{{.i18n.Tr "admin.config.session.csrf_cookie_name"}}</dt>
+						<dd>{{.Session.CSRFCookieName}}</dd>
+					</dl>
+				</div>
+
 				<!-- HTTP Configuration -->
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.http_config"}}
@@ -348,28 +370,6 @@
 					</dl>
 				</div>
 
-				<h4 class="ui top attached header">
-					{{.i18n.Tr "admin.config.session_config"}}
-				</h4>
-				<div class="ui attached table segment">
-					<dl class="dl-horizontal admin-dl-horizontal">
-						<dt>{{.i18n.Tr "admin.config.session_provider"}}</dt>
-						<dd>{{.SessionConfig.Provider}}</dd>
-						<dt>{{.i18n.Tr "admin.config.provider_config"}}</dt>
-						<dd><code>{{.SessionConfig.ProviderConfig}}</code></dd>
-						<dt>{{.i18n.Tr "admin.config.cookie_name"}}</dt>
-						<dd>{{.SessionConfig.CookieName}}</dd>
-						<dt>{{.i18n.Tr "admin.config.gc_interval_time"}}</dt>
-						<dd>{{.SessionConfig.Gclifetime}} {{.i18n.Tr "tool.raw_seconds"}}</dd>
-						<dt>{{.i18n.Tr "admin.config.session_life_time"}}</dt>
-						<dd>{{.SessionConfig.Maxlifetime}} {{.i18n.Tr "tool.raw_seconds"}}</dd>
-						<dt>{{.i18n.Tr "admin.config.https_only"}}</dt>
-						<dd><i class="fa fa{{if .SessionConfig.Secure}}-check{{end}}-square-o"></i></dd>
-						<dt>{{.i18n.Tr "admin.config.cookie_life_time"}}</dt>
-						<dd>{{.SessionConfig.CookieLifeTime}} {{.i18n.Tr "tool.raw_seconds"}}</dd>
-					</dl>
-				</div>
-
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.picture_config"}}
 				</h4>
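Review bot: The new Provider row uses `{{.i18n.Tr "admin.config.session_provider"}}`, which is the old locale key that this same commit removes from conf/locale/locale_en-US.ini in favour of `config.session.provider`; the admin page will show the raw key instead of "Provider". Change it to `<dt>{{.i18n.Tr "admin.config.session.provider"}}</dt>` so it matches the other rows in the block, which already use the dotted `session.` keys.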
